4/7/2015 08:10 AM

What Happens When Personal Information Hits The Dark Web

Experiment tracked the journey of a cache of phony names, SSNs, credit cards, and other personal information.

The bait--a trove of phony "stolen" data including several thousand Social Security numbers, credit cards, names, and email addresses--was swallowed within the first few days of being planted in the Dark Web. And when the 12-day experiment was over, the data had traveled to more than 22 different countries and been viewed nearly 1,100 times.

The experiment, conducted by security vendor Bitglass, was aimed at getting an inside look at just what happens after cybercriminals siphon personal information from retailers and other breached organizations. Bitglass researchers generated a list of 1,568 phony names, SSNs, credit card numbers, addresses, and phone numbers, rolled them into an Excel spreadsheet, and then "watermarked" it with code that silently tracks any access to the file.

They dropped the file on Dropbox, as well as on seven infamous black market sites including Onion-pastebin and Paste-slampeech, and watched its journey across five continents: North America, Asia, Europe, Africa, and South America. In the end, it was downloaded by 47 different parties, mainly users in Nigeria, Russia, and Brazil, with the most activity coming from Nigeria and Russia.

"Our goal was to see how liquid the market is for breached data," says Nat Kausik, CEO of Bitglass. "We were curious to see what happens to it after a breach."

Kausik says the experiment showed how people who frequent the cyber underground markets overwhelmingly preview the data to vet it. "People do cross-examine it and download it, looking for breached data," he says.

There was also significant participation from users on university networks overseas, he says, most likely because that's where open WiFi is most available.

The researchers were unable to see beyond the file's movements, but Kausik says that if someone tried to use one of the "stolen" credit card numbers to make a purchase, for example, the transaction on the phony account would ultimately fail and the buyer would realize he or she had been duped.

"We didn't put it up for sale," he says of the phony data sample file that BitGlass named "Employees.XLS."

The researchers spotted some forum users contacting the sources of other posted stolen data for more information on how to buy it in bulk. "We didn't post any contact information [with our file], so we don't know if the recipients were interested in buying more," he says.

Bitglass's watermark "phones home" when a file is opened or downloaded, grabbing IP address, geographic location, and the type of device accessing it.
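As an added illustration (not Bitglass's code), this is the kind of analysis a defender runs over the callbacks such a beacon produces to arrive at the figures the article reports (views, distinct parties, countries, device mix, time to first access). It assumes a collector that logs one line per access with timestamp, client IP, country code, user agent and event; the log lines and drop time are constructed.

```python
# Honeytoken beacon analytics (added example, not Bitglass's code). It assumes
# the decoy file's "phone home" beacon hits a collector that logs one line per
# access: <ISO-8601 UTC time> <client IP> <ISO country> <user agent> <open|download>
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample callbacks (RFC 5737 documentation addresses, made-up UAs).
SAMPLE_LOG = """\
2015-03-20T09:12:01Z 198.51.100.7 NG Mozilla/5.0 (Windows NT 6.1) open
2015-03-20T09:14:37Z 198.51.100.7 NG Mozilla/5.0 (Windows NT 6.1) open
2015-03-20T11:02:10Z 203.0.113.44 RU Mozilla/5.0 (X11; Linux x86_64) download
2015-03-21T02:45:00Z 192.0.2.19 BR Mozilla/5.0 (iPhone; CPU iPhone OS 8_1) open
2015-03-21T02:46:12Z 192.0.2.19 BR Mozilla/5.0 (iPhone; CPU iPhone OS 8_1) open
2015-03-22T16:30:59Z 203.0.113.44 RU Mozilla/5.0 (X11; Linux x86_64) open
2015-03-23T08:00:00Z 198.51.100.23 NG Mozilla/5.0 (Linux; Android 4.4) download
"""
PLANTED_AT = datetime(2015, 3, 20)  # constructed: when the decoy was dropped

Beacon = namedtuple("Beacon", "ts ip country user_agent event")

def parse_beacons(text: str) -> list:
    """One Beacon per non-empty log line; the user agent may contain spaces,
    so split off the three leading fields and the trailing event only."""
    beacons = []
    for line in filter(None, text.splitlines()):
        ts, ip, cc, rest = line.split(" ", 3)
        ua, event = rest.rsplit(" ", 1)
        beacons.append(Beacon(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cc, ua, event))
    return beacons

def device_class(user_agent: str) -> str:
    """Coarse device type, the third attribute the beacon reports."""
    return "mobile" if any(m in user_agent for m in ("iPhone", "Android", "Mobile")) else "desktop"

def summarize(beacons: list, planted_at: datetime) -> dict:
    """The experiment's headline metrics: total views, distinct parties (IP plus
    user agent heuristic), countries reached, device mix, and time to first access."""
    first = min(b.ts for b in beacons)
    return {
        "views": len(beacons),
        "downloads": sum(b.event == "download" for b in beacons),
        "distinct_parties": len({(b.ip, b.user_agent) for b in beacons}),
        "by_country": Counter(b.country for b in beacons).most_common(),
        "by_device": dict(Counter(device_class(b.user_agent) for b in beacons)),
        "hours_to_first_access": round((first - planted_at).total_seconds() / 3600, 1),
    }
```

Run `summarize(parse_beacons(SAMPLE_LOG), PLANTED_AT)` to get the per-country and per-device breakdown for the sample stream.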

The biggest takeaway of the experiment, Kausik says, was how easy it is to sell stolen information. "There is a well-established online marketplace" for it, he says.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

anon5164936000, User Rank: Apprentice, 4/12/2015 | 4:23:15 AM
How did they track the spreadsheet?
It looks like they just used the same tracking/tagging technology (but calling it "watermarking") as ReadNotify have been doing for over a decade.
anon8645060756, User Rank: Apprentice, 4/9/2015 | 12:01:40 PM
Which sites received the most attention?
I would love to know whether the file was picked up from Dropbox as well as the more nefarious sites. We have users who want to use Dropbox and I'd love to have a real-life example of why we don't want them to use it.

Yes, I know there are security settings, but I would venture to guess that all of my users don't know what those are and/or wouldn't bother to use them.
Sara Peters, User Rank: Author, 4/8/2015 | 4:32:50 PM
1,100 views...
I can't decide if 1,100 views seems like a lot or not very many at all. I guess I would have expected that number to be higher, but then again, I imagine that the competition is pretty stiff on the black market -- high quality data from trusted sellers.
macker490, User Rank: Ninja, 4/8/2015 | 9:02:58 AM
you will not have learned anything useful
You should follow Brian Krebs

The people who deal in stolen dox pride themselves in selling only quality stuff, and their reputations rely on it. It is very unlikely that this data will be offered by any reputable darknet dealer.
Kelly Jackson Higgins, User Rank: Strategist, 4/7/2015 | 5:19:57 PM
Re: Honeypot
They kept it relatively low-key and generic, and didn't offer any "for sale" information, etc., so the file was more of a phony sample of stolen stuff. It's probably no more risky than a honeypot. 
RyanSepe, User Rank: Ninja, 4/7/2015 | 2:47:45 PM
Honeypot
Interesting to see the tracking of how fast the data moved and to what purpose it was used. I can't help but feel this is a very similar practice to a honeypot, however. And I think that with this premise you would draw the same type of attention.

The practice of baiting a malicious person is a dangerous concept in its smallest measurements. But when the baited individual turns out to be a nefarious user with expert-level knowledge, then the situation becomes truly dangerous. If I were BitGlass, I would be wary of running these experiments with that scope. Wouldn't want to become the target of an unscrupulous hacker with a vendetta.

 